PHP Prepared Statement - 动态Vars元素错误数

时间:2017-06-13 16:44:49

标签: php mysql prepared-statement

我之前的问题已经结束,因为他们说这是重复的,但重复的帖子没有回答我的问题。所以我再来一次,我在编辑部分添加了一些额外的评论来说明为什么重复的帖子没有帮助我。

我正在尝试动态构建一个预准备语句,并且我不断收到以下错误:

  

mysqli_stmt_bind_param():类型定义字符串中的元素数       与

中的绑定变量数不匹配

当我回显我的语句时,类型定义的数量与绑定变量匹配,所以我不知道出了什么问题。我认为我的代码可能是传递字符串,引号或其他东西而不是变量,但我是准备语句的新手,不知道如何检查我的查询。使用简单mysqli_query时,我可以回显查询,看看我的错误是在。我不知道如何用准备好的语句做到这一点,所以我希望有人可以帮助发现我的错误。

我正在尝试动态构造prepares语句,以便我可以重用代码,如下所示:

$db = mysqli_stmt_init($dbconnection);

// I have looped through my fields and constructed a string that when 
// echoed returns this:
// ?, ?, ?, ?, 
// I use sub str just to remove the last comma and space leaving me 
// with the string
// ?, ?, ?, ?. 
// Ive echoed this to the browser to make sure it is correct.

$preparedQs = substr($preparedQs, 0, -2);

 // I then loop through each field using their datatype and constructs
 // the type string as follows ssss. Ive echoed this to the browser to 
 // make sure it is correct.

$preparedType = 'ssss';

 // I then loop through my post array verifying and cleaning the data 
 // and then it constructing a string of clean values that results in
 // Mike, null, Smith, Sr., (First, Middle, Last, Suffix) I use substr 
 // again just to remove the last comma and space. Ive echoed this to 
 // the browser to make sure it is correct.

    $cleanstr = substr($cleanstr, 0, -2);

 // I then explode that string into a an array that I can loop through 
 // and assign/bind each value to a variable as follows and use substr
 // again to remove last comma and space.

    $cleanstr = explode(", ", $cleanstr);
    $ct2 = 0;
    foreach ( $cleanstr as $cl){
        $name = "a".$ct2;
        $$name = $cl;
        $varstr .= "$".$name.", ";
        $ct2 = $ct2 +1;    
    }
   $varstr = substr($varstr, 0, -2);

 // I've echoed the $varstr to the browser and get $a1, $a2, $a3, $a4.
 // I have also echo their value outside of the loop and know values 
 // have been assigned.

 // I then try to assign each step above the appropriate 
 // prepared statement place holder

   $stmt = mysqli_stmt_prepare($db, "INSERT INTO Contacts VALUES (". $preparedQs. ")");
    mysqli_stmt_bind_param($db, "'".$preparedType."'", $varstr);
    mysqli_stmt_execute($stmt);

我不确定我做错了什么,因为当我回复$preparedQs$preparedType$varstr时,他们都拥有相同数量的元素但我得到了“ mysqli_stmt_bind_param():类型定义字符串中的元素数与...中的绑定变量数不匹配。所有我能想到的是我有引号或其他我不应该的东西,但我已尝试在某些区域添加和删除引号,并且无法解决错误。

另外,我读了一些关于在预准备语句中传递null的帖子,但即使我用实际值替换null,我仍然会得到相同的错误。

值得注意的是,使用简单的程序mysqli_querymysqli_real_escape_string来清理数据时,工作正常。我试图通过将我的应用程序转换为准备好的语句来提高我的安全性,只是为了增加安全性。

这个问题因两个原因而有所不同

  1. 我使用的是程序编码,而不是对象或PDO。因此,对于准备好的陈述不熟悉,即使在试图理解它们之后,给出的例子也没有用。

  2. 我使用的是insert语句,而不是select或update语句,在过程php中,查询字符串的编写方式与insert或者select语句不同。

    3. //更新的代码

    global $dbconnection;
if(!$dbconnection){
    die("Function wm_dynamicForm connection failed.</br>");
} else {
    //echo "</br>Function wm_connectionToDatabase connection success</br>";
}
$db = mysqli_stmt_init($dbconnection);
$preparedQs = substr($preparedQs, 0, -2); //removes the end , from my string
$cleanstr = substr($cleanstr, 0, -2); //removes the end , from my string
$cleanstr = explode(", ", $cleanstr);
$ct = 0;
foreach ( $cleanstr as $cl){
    $items[] = array(
        'a'.$ct => $cl,
    );
    $ct = $ct + 1;
}

$stmt = mysqli_stmt_prepare($db, "INSERT INTO Contacts VALUES (". $preparedQs. ")");
mysqli_stmt_bind_param($db, $preparedType, ...$items);
mysqli_stmt_execute($stmt);
if(!mysqli_stmt_execute($stmt)){ 
echo "Error: ".mysqli_error($db); 
}

3 个答案:

答案 0 :(得分:2)

您可以使用名为解包运算符/ elipsies ...的php 5.6功能进行动态绑定。

$db = mysqli_connect('localhost', 'root', 'pass', 'database');


$data = array('name' => 'foo', 'age' => 99, 'email' => 'abc@abc.com');

$stmt = mysqli_stmt_prepare($db, "INSERT INTO Contacts VALUES (". $preparedQs. ")");
mysqli_stmt_bind_param($db, $preparedType, ...$data);
mysqli_stmt_execute($stmt);

答案 1 :(得分:0)

尝试在准备好的声明中使用这样的。

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test";
$conn = new mysqli($servername, $username, $password, $dbname);
$cleanstr = "John,Dew,Doe,Sr.";
$cleanstr = explode(",", $cleanstr);
$varstr=array();
foreach($cleanstr as $cl){
    $varstr[] = "$".$cl;
}

$operation = "INSERT INTO Contacts (firstname, middlename, lastname, suffix) VALUES (?, ?, ?, ?)";

$callfunc = insertCommon($conn,$varstr, $operation);

function insertCommon($conn,$varstr, $operation){
    $types = "";
    foreach($varstr as $value)
        $types .= "s";
    $varstr = array_merge(array($types),$varstr);
    $insertQry = $conn->prepare($operation);
    $refArray = array();
    foreach($varstr as $key => $value) $refArray[$key] = &$varstr[$key];
    call_user_func_array(array($insertQry, 'bind_param'), $refArray);
    $insertQry->execute();
    return true;
}

答案 2 :(得分:0)

我以前来过这里,动态预备声明,动态查询准备。

问题不是你的代码到目前为止,问题是你动态准备绑定的sql字段数组。 该数组的索引以零(0)开头,但bindValue的索引需要以一(1)开头。 所以你要做的是让你的字段数组索引从1开始。

在php中,您可以强制数组的默认索引以1而不是零开始。

如果没有错,你有:

 dbfield="username, password, name"

dbvalue="?, ?, ?"

你有一个输入值数组,你正在循环使用:

 foreach($inputarray as $key=>$value){
 // key index must start from 1

 //now you can bind
 bindValue($key, $value);
 }

如果流动的话,请回答接受。

相关问题
最新问题